Security Information and Event Management – SIEM

SIEM representation (graphic from HP).

SIEM (Security Information and Event Management) tools were initially designed for threat management: real-time analysis of events from networks and systems to detect attacks from the external threat environment and to support incident response (Security Event Management). Other vendors provided long-term storage, historical analysis and trending over a large database of logs to support forensic activities (Security Information Management). Definition from TechBudda in 2007.

Security Information and Event Management (SIEM) solutions provide real-time analysis of the security alerts generated by network hardware and applications, so that companies can respond to attacks faster and bring order to large volumes of log data. A SIEM is essentially a management layer above your existing systems and security controls: it connects and unifies the information already held in those systems so that it can be analyzed and cross-referenced from a single interface. The more of those systems and controls a SIEM has feeding it, the more effective it will be in supporting detection, analysis and response in your security operations.

AlienVault has released a great resource explaining what SIEM is for beginners.

SIEM systems collect logs and other security-related data for analysis. Most deploy multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment and specialized security equipment such as firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console, which inspects them and flags anomalies. For the system to recognize anomalous events, the SIEM administrator must first establish a baseline profile of the environment under normal operating conditions, against which later events are compared.
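The two paragraphs above describe the pipeline in words: collectors feeding a central console, events from different systems cross-referenced in one place, and a baseline of normal activity used to flag anomalies. The following is an added example written for this page (it is not code from HP, AlienVault or any SIEM vendor) showing that pipeline in miniature in Python. It assumes three collectors (an sshd log, a firewall log and a web application log), two constructed log windows (a baseline window assumed clean, and a current window containing an attack), and two illustrative detection rules; every log line, hostname and address is constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    """One normalised event; every collector emits this same schema."""
    source: str   # collector that produced it (sshd, firewall, webapp)
    kind: str     # auth_ok, auth_fail, fw_allow, fw_deny
    host: str     # host the collector runs on
    src_ip: str   # address the activity came from
    user: str = ""


# --- collectors: one parser per log format, all emitting Event ----------------
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")
APP_RE = re.compile(r'user="([^"]*)" ip="([^"]*)" result=(\w+)')


def parse_sshd(host, line):
    m = SSHD_RE.search(line)
    if not m:
        return None
    kind = "auth_fail" if m.group(1) == "Failed" else "auth_ok"
    return Event("sshd", kind, host, m.group(3), m.group(2))


def parse_firewall(host, line):
    m = FW_RE.search(line)
    if not m:
        return None
    kind = "fw_deny" if m.group(1).lower() == "deny" else "fw_allow"
    return Event("firewall", kind, host, m.group(2))


def parse_webapp(host, line):
    m = APP_RE.search(line)
    if not m:
        return None
    kind = "auth_ok" if m.group(3) == "success" else "auth_fail"
    return Event("webapp", kind, host, m.group(2), m.group(1))


PARSERS = {"sshd": parse_sshd, "firewall": parse_firewall, "webapp": parse_webapp}


def normalise(raw_lines):
    """raw_lines: iterable of (collector, host, raw line). Unparseable lines are dropped."""
    events = []
    for collector, host, line in raw_lines:
        ev = PARSERS[collector](host, line)
        if ev is not None:
            events.append(ev)
    return events


# --- baseline: what "normal" looked like over a learning window ---------------
@dataclass
class Baseline:
    known_ips: set          # addresses that authenticated successfully in the window
    max_fails_per_ip: int   # highest failed-login count from a single address in the window


def learn_baseline(events):
    fails = Counter(e.src_ip for e in events if e.kind == "auth_fail")
    known = {e.src_ip for e in events if e.kind == "auth_ok"}
    return Baseline(known, max(fails.values(), default=0))


# --- central console: cross-reference sources and compare with the baseline ---
def analyse(events, baseline):
    alerts = []
    fails = Counter(e.src_ip for e in events if e.kind == "auth_fail")
    denied = {e.src_ip for e in events if e.kind == "fw_deny"}
    # Rule 1 (assumed threshold): more failed logins from one address than ever seen in the baseline.
    for ip, n in sorted(fails.items()):
        if n > baseline.max_fails_per_ip:
            alerts.append({"rule": "auth_failure_burst", "ip": ip, "count": n})
    # Rule 2: a successful login from an address the baseline never saw. Cross-referencing
    # sshd, webapp and firewall data raises severity when the same address also failed
    # logins or was blocked by the firewall in this window.
    for e in events:
        if e.kind == "auth_ok" and e.src_ip not in baseline.known_ips:
            corroborated = fails[e.src_ip] > 0 or e.src_ip in denied
            alerts.append({"rule": "login_from_new_ip", "ip": e.src_ip, "user": e.user,
                           "source": e.source, "severity": "high" if corroborated else "medium"})
    return alerts


# Constructed sample input (documentation-range addresses, invented hosts); not real log data.
BASELINE_LOGS = [
    ("sshd", "web1", "sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2"),
    ("sshd", "web1", "sshd[1207]: Failed password for alice from 10.0.0.5 port 50130 ssh2"),
    ("sshd", "web1", "sshd[1208]: Accepted password for alice from 10.0.0.5 port 50130 ssh2"),
    ("webapp", "app1", 'login user="bob" ip="10.0.0.7" result=success'),
    ("firewall", "fw1", "action=allow src=10.0.0.5 dst=10.0.1.2 dport=22"),
]
CURRENT_LOGS = [
    ("sshd", "web1", "sshd[1432]: Failed password for root from 203.0.113.9 port 51234 ssh2"),
    ("sshd", "web1", "sshd[1433]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2"),
    ("sshd", "web1", "sshd[1434]: Failed password for alice from 203.0.113.9 port 51236 ssh2"),
    ("firewall", "fw1", "action=deny src=203.0.113.9 dst=10.0.1.2 dport=23"),
    ("sshd", "web1", "sshd[1435]: Accepted password for alice from 203.0.113.9 port 51237 ssh2"),
    ("webapp", "app1", 'login user="bob" ip="10.0.0.7" result=success'),
    ("sshd", "web1", "sshd[1440]: Accepted password for alice from 10.0.0.5 port 50201 ssh2"),
    ("sshd", "web1", "this line is not in a format any collector understands"),
]


def run():
    baseline = learn_baseline(normalise(BASELINE_LOGS))
    return analyse(normalise(CURRENT_LOGS), baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run stand-alone, the script produces two alerts: a failure burst from 203.0.113.9 and a high-severity login from that same unknown address, while the routine logins from 10.0.0.5 and 10.0.0.7 stay silent because the baseline already knows them. The caveat a practitioner should keep in mind is visible in `learn_baseline`: the baseline is only as good as the window it was learned from, so if an attacker was already active during that window their activity becomes "normal". Real SIEMs add time windows, per-user and per-asset context and many more rules, but the shape is the same.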

SIEM systems are typically expensive to deploy, complex to operate and manage, and require a high level of technical expertise. SIEM vendors require extensive partner training and certification, so count on the partners below to bring SIEM into your company.

The 2014 Gartner Magic Quadrant for Security Information and Event Management, published in June 2014, lists IBM Security, HP, Splunk, McAfee and LogRhythm as Leaders.